The SCGI_REMOTE_USER_MODE feature introduces a security hole on systems where
securecgi is installed. It allows an attacker who compromised the www-data
account to escalate privileges to any non-root user in a really easy way.

securecgi has other "side-effects" that can void the security of the systems
it's installed on even without REMOTE_USER_MODE.

Consider a normal webserver with mod_php4 running as user www-data, having
securecgi installed means that any user with write access to the webroot and
ability to execute securecgi from php system() or so can

 o set arbitrary rlimits and priority
  
 o gain any POSIX capabilities (not by default in Debian)
   
 o execute files as any non-root user and/or group based on the
   ownership of the file.

For additional informations see:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=255033
         